Accessing MySQL with PHP
Download
Report
Transcript Accessing MySQL with PHP
Accessing MySQL with PHP
IDIA 618
Fall 2014
Bridget M. Blodgett
Querying You Database
• MySQL isn’t picky about what accesses it so long as it
provides a valid username and password
• The process plays out the same as it would with a
console or other application:
–
–
–
–
–
–
Connect to MySQL.
Select the database to use.
Build a query string.
Perform the query.
Retrieve the results and output it to a web page.
Repeat Steps 3 to 5 until all desired data have been
retrieved.
– Disconnect from MySQL.
Login File
• It is possible to connect to MySQL in each PHP
file that requires a database query
– But this isn’t the most secure method
• Making one file that does all you connecting
works much better
– This file is then included in any other file that
must connect
• The information may need to be altered based
upon how your servers are set up
Login File
• The important thing is to keep the login
information within <?php ?> tags (ideally on a
page with no HTML markup at all)
– If these aren’t between the php tags then your
login information may be accessible as HTML if
someone loads the page
• Much like functions this also makes updates
easier
Connecting to MySQL
• Any file that needs MySQL can now include
the login.php file as a require_once
• mysqli is a PHP object and requires four pieces
of information: server location, username
password, and database
• You want to check if a FALSE is returned which
signifies that it failed to connect
– Die is a way to show there was an error and pass
along the code
Building and Executing a Query
• There is a built in query function in PHP
making it simple to query MySQL
– As long as you pass this a well formed query
• This function can only be used to send
complete queries, not partial ones
• The results of the query are placed in the
$results variable
Fetching A Result
• The returned results are a resource not
plaintext or a string
– It is possible to call individual cells that are wanted
for the results
• However this can require a lot of calls to the
results
– fetch_assoc() can be more efficient
– This works by putting each cell in the row into an
array labeled with the column name
Closing a Connection
• You never want to leave a connection hanging
open it uses up valuable resources
• If you keep opening connections on your
pages and not closing them you risk crashing
your server(s)
• close() function does this effectively for
connections
• free() works on results from a query
Integrating PHP and MySQL
• The basic queries can be combined or subnested to perform multiple queries in nested
PHP
• Always make sure to clean up any user input
to prevent SQL injection errors
– There are many types of escape characters that
can execute
– Using mysql_real_escape_string() can
prevent this problem
Placeholders
• One way to make a secure code without using
the real escape string
• Predefine a query using ? characters then pass
the user generated data to it
– This avoids generating queries and directly inserts
the information into the database
• How can we alter the book example from
earlier to make use of this?
HTML Injection
• Much like SQL injections having open forms
also allows attacks against HTML and
JavaScript
• htmlentities function strips out any HTML
markup and replaces them with the more
harmless display codes
– <script src='http://x.com/hack.js'>
</script><script>hack();</sc
ript>